diff --git a/api/hypershift/v1beta1/azure.go b/api/hypershift/v1beta1/azure.go
index 309b58e5a4e..76c9a3efbab 100644
--- a/api/hypershift/v1beta1/azure.go
+++ b/api/hypershift/v1beta1/azure.go
@@ -362,7 +362,7 @@ type AzureNodePoolOSDisk struct {
 // +kubebuilder:validation:XValidation:rule="has(self.private) == has(oldSelf.private)",message="private cannot be added or removed after cluster creation"
 // +kubebuilder:validation:XValidation:rule="!has(oldSelf.topology) || has(self.topology)",message="topology cannot be removed once set"
 // +kubebuilder:validation:XValidation:rule="!has(self.topology) || !has(oldSelf.topology) || (self.topology == 'Public') == (oldSelf.topology == 'Public')",message="transitions between Public and non-Public topology are not supported"
-// +kubebuilder:validation:XValidation:rule="!has(self.topology) || ((self.topology == 'Private' || self.topology == 'PublicAndPrivate') ? has(self.private) : !has(self.private))",message="private is required when topology is Private or PublicAndPrivate, and forbidden otherwise"
+// +kubebuilder:validation:XValidation:rule="has(self.topology) && (self.topology == 'Private' || self.topology == 'PublicAndPrivate') ? has(self.private) : !has(self.private)",message="private is required when topology is Private or PublicAndPrivate, and forbidden otherwise"
 // +kubebuilder:validation:XValidation:rule="!has(self.private) || self.private.type != 'PrivateLink' || self.azureAuthenticationConfig.azureAuthenticationConfigType != 'WorkloadIdentities' || has(self.azureAuthenticationConfig.workloadIdentities.controlPlaneOperator)",message="workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication"
 type AzurePlatformSpec struct {
 // cloud is the cloud environment identifier, valid values could be found here: https://github.com/Azure/go-autorest/blob/4c0e21ca2bbb3251fe7853e6f9df6397f53dd419/autorest/azure/environments.go#L33
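Review bot: The rewritten rule on AzurePlatformSpec now takes the else branch when `topology` is unset, so an object that carries `private` without `topology` is rejected where the old `!has(self.topology) || …` form accepted it. That closes an ambiguous exposure state, but objects already stored in that shape would presumably fail this rule on their next update unless validation ratcheting covers them, and no test for the unset case is visible in this part of the diff. The rule also relies on CEL's ternary binding more loosely than `&&`; wrapping the condition, `(has(self.topology) && (self.topology == 'Private' || self.topology == 'PublicAndPrivate')) ? has(self.private) : !has(self.private)`, makes that explicit. The message could name the unset case as well, e.g. `private is required when topology is Private or PublicAndPrivate, and forbidden when topology is Public or unset`. AzurePlatformSpec's body continues outside the hunk.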
@@ -668,7 +668,7 @@ const ( // mechanism. Currently only PrivateLink is supported; additional mechanisms (e.g., Swift) may // be added in the future. // -// +kubebuilder:validation:XValidation:rule="self.type != 'PrivateLink' ? !has(self.privateLink) : true",message="privateLink is forbidden when type is not PrivateLink" +// +kubebuilder:validation:XValidation:rule="self.type == 'PrivateLink' ? has(self.privateLink) : !has(self.privateLink)",message="privateLink is required when type is PrivateLink, and forbidden otherwise" // +union type AzurePrivateSpec struct { // type specifies the private connectivity mechanism used for the hosted cluster's API server. diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml index 1c41742b57a..e5e928dc898 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml @@ -5291,9 +5291,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- 
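Review bot: In the AzurePrivateSpec rule in azure.go, `has(self.privateLink)` is satisfied by an empty `privateLink: {}`, so the new "required" half only guarantees that the field is present. Whether a usable Private Link configuration is actually enforced depends on required fields in the member type, which is declared outside this hunk and should be confirmed. Because the struct is marked `+union`, the `privateLink` field's doc comment should state the new requirement, for example `// privateLink is required when type is PrivateLink and must not be set otherwise.` Objects already stored with type PrivateLink and no privateLink would presumably be rejected on update once this rule is in place.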
@@ -5428,9 +5429,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml index 039f5cf6393..40083476fa4 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml @@ -5282,9 +5282,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- 
@@ -5419,9 +5420,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml index 3acebef0f14..955788dbad9 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml @@ -5302,9 +5302,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- 
@@ -5439,9 +5440,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml index 4daf2de45fe..fe08c90b5c2 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml @@ -5614,9 +5614,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- 
@@ -5751,9 +5752,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml index a76def974bb..6afcef0d203 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml @@ -5754,9 +5754,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- 
@@ -5891,9 +5892,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml index a9b7aa0f7d7..9faf2cdb0f5 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml @@ -5745,9 +5745,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- 
@@ -5882,9 +5883,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/GCPPlatform.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/GCPPlatform.yaml index a4b7483426f..990cee3aae3 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/GCPPlatform.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/GCPPlatform.yaml @@ -5282,9 +5282,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- 
@@ -5419,9 +5420,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HCPEtcdBackup.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HCPEtcdBackup.yaml index 6ae5927c542..abe0886f01f 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HCPEtcdBackup.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HCPEtcdBackup.yaml @@ -5347,9 +5347,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- 
@@ -5484,9 +5485,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml index deca5394369..76cee1f00bd 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml @@ -5304,9 +5304,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- 
@@ -5441,9 +5442,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ImageStreamImportMode.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ImageStreamImportMode.yaml index 5e039ba658b..bf1e2c27397 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ImageStreamImportMode.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ImageStreamImportMode.yaml @@ -5300,9 +5300,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- 
@@ -5437,9 +5438,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/KMSEncryptionProvider.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/KMSEncryptionProvider.yaml index 0658922050b..a1263ec4683 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/KMSEncryptionProvider.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/KMSEncryptionProvider.yaml @@ -5358,9 +5358,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- 
@@ -5495,9 +5496,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml index 2d3ea4fb777..93eee39d119 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml @@ -5282,9 +5282,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- 
@@ -5419,9 +5420,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/TLSAdherence.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/TLSAdherence.yaml index 778d189b330..377f44044e1 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/TLSAdherence.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/TLSAdherence.yaml @@ -5322,9 +5322,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- 
@@ -5459,9 +5460,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AAA_ungated.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AAA_ungated.yaml index 8915bf2fb64..1d833e21ca6 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AAA_ungated.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AAA_ungated.yaml @@ -5171,9 +5171,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- 
@@ -5308,9 +5309,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml index 1540ec8d3d4..8194e7799d5 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml @@ -5162,9 +5162,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- 
@@ -5299,9 +5300,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml index 4b5cea37472..ee97b0bf9ea 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml @@ -5182,9 +5182,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- 
@@ -5319,9 +5320,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDC.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDC.yaml index 8a5926d9a09..03882677840 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDC.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDC.yaml @@ -5494,9 +5494,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- 
@@ -5631,9 +5632,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml index e0eb8d100ec..31cb9e39a95 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml @@ -5634,9 +5634,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- 
@@ -5771,9 +5772,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml index 040e4977c09..dac1ead4844 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml @@ -5625,9 +5625,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- 
@@ -5762,9 +5763,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/GCPPlatform.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/GCPPlatform.yaml index bcc6e44ccc1..a862e1dc02f 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/GCPPlatform.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/GCPPlatform.yaml @@ -5162,9 +5162,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- 
@@ -5299,9 +5300,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HCPEtcdBackup.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HCPEtcdBackup.yaml index db74c118d76..f8dc77d0c2e 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HCPEtcdBackup.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HCPEtcdBackup.yaml @@ -5227,9 +5227,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- 
@@ -5364,9 +5365,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml index 1a0efedcce2..667923bb2e9 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml @@ -5184,9 +5184,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- 
@@ -5321,9 +5322,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ImageStreamImportMode.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ImageStreamImportMode.yaml index 1f8d79dfc0a..55a2555f888 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ImageStreamImportMode.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ImageStreamImportMode.yaml @@ -5180,9 +5180,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- 
@@ -5317,9 +5318,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/KMSEncryptionProvider.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/KMSEncryptionProvider.yaml index a73adb34234..4dcb4e6c362 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/KMSEncryptionProvider.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/KMSEncryptionProvider.yaml @@ -5238,9 +5238,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- 
@@ -5375,9 +5376,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/OpenStack.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/OpenStack.yaml index e2cff3fb651..da6e7167b43 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/OpenStack.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/OpenStack.yaml @@ -5162,9 +5162,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- 
@@ -5299,9 +5300,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/TLSAdherence.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/TLSAdherence.yaml index 6595c34e17c..75d60b7d459 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/TLSAdherence.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/TLSAdherence.yaml @@ -5202,9 +5202,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- 
@@ -5339,9 +5340,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/cmd/install/assets/crds/hypershift-operator/tests/hostedclusters.hypershift.openshift.io/stable.hostedclusters.azure.testsuite.yaml b/cmd/install/assets/crds/hypershift-operator/tests/hostedclusters.hypershift.openshift.io/stable.hostedclusters.azure.testsuite.yaml index ed9896396e9..84fbbe40b96 100644 --- a/cmd/install/assets/crds/hypershift-operator/tests/hostedclusters.hypershift.openshift.io/stable.hostedclusters.azure.testsuite.yaml +++ b/cmd/install/assets/crds/hypershift-operator/tests/hostedclusters.hypershift.openshift.io/stable.hostedclusters.azure.testsuite.yaml @@ -548,7 +548,7 @@ tests: route: {} # --- Azure PrivateLink CEL validation --- - - name: When Azure PrivateLink type is set without privateLink config it should pass + - name: When Azure PrivateLink type is set without privateLink config it should fail initial: | apiVersion: hypershift.openshift.io/v1beta1 kind: HostedCluster @@ -613,6 +613,7 @@ tests: servicePublishingStrategy: type: Route route: {} + expectedError: "privateLink is required when type is PrivateLink, and forbidden otherwise" - name: When Azure PrivateLink type is set with privateLink config it should pass initial: | 
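Review bot: The renamed case `When Azure PrivateLink type is set without privateLink config it should fail` (hunks at 548 and 613) records that a shape this suite previously asserted as valid is now rejected, but nothing beside it says what happens to HostedClusters already stored in that shape. Whether an update to such an object is rejected depends on CRD validation ratcheting on the target cluster version, which this page does not show, so the behaviour change should be documented where the next maintainer will read it. A comment above the case would do, for example `# Behaviour change: type PrivateLink without privateLink was accepted before this rule was tightened; stored objects in that shape need privateLink added.` The body of the test lies between the two hunks and is not visible here.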
@@ -703,6 +704,8 @@ tests:
 topology: Private
 private:
 type: PrivateLink
+ privateLink:
+ natSubnetID: "/subscriptions/12345678-1234-5678-9012-123456789012/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/nat-subnet"
 azureAuthenticationConfig:
 azureAuthenticationConfigType: WorkloadIdentities
 workloadIdentities:
@@ -769,6 +772,8 @@ tests:
 topology: Private
 private:
 type: PrivateLink
+ privateLink:
+ natSubnetID: "/subscriptions/12345678-1234-5678-9012-123456789012/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/nat-subnet"
 azureAuthenticationConfig:
 azureAuthenticationConfigType: WorkloadIdentities
 workloadIdentities:
@@ -813,3 +818,140 @@ tests: type: Route route: {} expectedError: "workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication" + + - name: When Azure private is set without topology it should fail + initial: | + apiVersion: hypershift.openshift.io/v1beta1 + kind: HostedCluster + spec: + dns: + baseDomain: example.com + platform: + type: Azure + azure: + location: eastus + resourceGroupName: test-rg + vnetID: "/subscriptions/12345678-1234-5678-9012-123456789012/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/test-vnet" + subnetID: "/subscriptions/12345678-1234-5678-9012-123456789012/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/test-subnet" + subscriptionID: "12345678-1234-5678-9012-123456789012" + securityGroupID: "/subscriptions/12345678-1234-5678-9012-123456789012/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/test-nsg" + tenantID: "87654321-4321-8765-2109-876543210987" + private: + type: PrivateLink + privateLink: + natSubnetID: "/subscriptions/12345678-1234-5678-9012-123456789012/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/nat-subnet" + azureAuthenticationConfig: + azureAuthenticationConfigType: WorkloadIdentities + workloadIdentities: + imageRegistry: + clientID: "12345678-1234-5678-9012-123456789012" + ingress: + clientID: "12345678-1234-5678-9012-123456789012" + file: + clientID: "12345678-1234-5678-9012-123456789012" + disk: + clientID: "12345678-1234-5678-9012-123456789012" + nodePoolManagement: + clientID: "12345678-1234-5678-9012-123456789012" + cloudProvider: + clientID: "12345678-1234-5678-9012-123456789012" + network: + clientID: "12345678-1234-5678-9012-123456789012" + controlPlaneOperator: + clientID: "12345678-1234-5678-9012-123456789012" + pullSecret: + name: secret + release: + image: quay.io/openshift-release-dev/ocp-release:4.15.11-x86_64 + secretEncryption: 
+ aescbc: + activeKey: + name: key + type: aescbc + services: + - service: APIServer + servicePublishingStrategy: + type: Route + route: {} + - service: OAuthServer + servicePublishingStrategy: + type: Route + route: {} + - service: Konnectivity + servicePublishingStrategy: + type: Route + route: {} + - service: Ignition + servicePublishingStrategy: + type: Route + route: {} + expectedError: "private is required when topology is Private or PublicAndPrivate, and forbidden otherwise" + + - name: When Azure private is set with Public topology it should fail + initial: | + apiVersion: hypershift.openshift.io/v1beta1 + kind: HostedCluster + spec: + dns: + baseDomain: example.com + platform: + type: Azure + azure: + location: eastus + resourceGroupName: test-rg + vnetID: "/subscriptions/12345678-1234-5678-9012-123456789012/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/test-vnet" + subnetID: "/subscriptions/12345678-1234-5678-9012-123456789012/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/test-subnet" + subscriptionID: "12345678-1234-5678-9012-123456789012" + securityGroupID: "/subscriptions/12345678-1234-5678-9012-123456789012/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/test-nsg" + tenantID: "87654321-4321-8765-2109-876543210987" + topology: Public + private: + type: PrivateLink + privateLink: + natSubnetID: "/subscriptions/12345678-1234-5678-9012-123456789012/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/nat-subnet" + azureAuthenticationConfig: + azureAuthenticationConfigType: WorkloadIdentities + workloadIdentities: + imageRegistry: + clientID: "12345678-1234-5678-9012-123456789012" + ingress: + clientID: "12345678-1234-5678-9012-123456789012" + file: + clientID: "12345678-1234-5678-9012-123456789012" + disk: + clientID: "12345678-1234-5678-9012-123456789012" + nodePoolManagement: + clientID: "12345678-1234-5678-9012-123456789012" + 
cloudProvider: + clientID: "12345678-1234-5678-9012-123456789012" + network: + clientID: "12345678-1234-5678-9012-123456789012" + controlPlaneOperator: + clientID: "12345678-1234-5678-9012-123456789012" + pullSecret: + name: secret + release: + image: quay.io/openshift-release-dev/ocp-release:4.15.11-x86_64 + secretEncryption: + aescbc: + activeKey: + name: key + type: aescbc + services: + - service: APIServer + servicePublishingStrategy: + type: Route + route: {} + - service: OAuthServer + servicePublishingStrategy: + type: Route + route: {} + - service: Konnectivity + servicePublishingStrategy: + type: Route + route: {} + - service: Ignition + servicePublishingStrategy: + type: Route + route: {} + expectedError: "private is required when topology is Private or PublicAndPrivate, and forbidden otherwise" diff --git a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-CustomNoUpgrade.crd.yaml b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-CustomNoUpgrade.crd.yaml index 31fe863e109..742c4609575 100644 --- a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-CustomNoUpgrade.crd.yaml +++ b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-CustomNoUpgrade.crd.yaml @@ -6133,9 +6133,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- 
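Review bot: Both cases added in the hunk at 818 set `private`, so they only exercise the `!has(self.private)` branch of the rewritten topology rule; the other branch (`topology: Private` or `PublicAndPrivate` without `private`) and the fully unset case are not pinned by this hunk. The new rule also depends on CEL parsing `has(self.topology) && (...) ? a : b` with the ternary binding last, so a regression in either branch would silently reopen the private/public gating. If the earlier part of the file does not already cover them, add `When Azure topology is Private without private it should fail` and `When Azure topology and private are both unset it should pass`. Clusters stored with `private` but no `topology` were accepted by the old rule; the transition rule visible in the azure.go hunk appears to allow adding `topology` later, and that remediation is worth a comment above the first new case.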
@@ -6270,9 +6271,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-Default.crd.yaml b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-Default.crd.yaml index 45bd439af93..b70562b4dbf 100644 --- a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-Default.crd.yaml +++ b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-Default.crd.yaml @@ -5783,9 +5783,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- 
@@ -5920,9 +5921,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-TechPreviewNoUpgrade.crd.yaml b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-TechPreviewNoUpgrade.crd.yaml index 85a9425723d..c56f7d18bce 100644 --- a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-TechPreviewNoUpgrade.crd.yaml +++ b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-TechPreviewNoUpgrade.crd.yaml @@ -6004,9 +6004,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- 
@@ -6141,9 +6142,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-CustomNoUpgrade.crd.yaml b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-CustomNoUpgrade.crd.yaml index e267097b2bc..8fed73ad00d 100644 --- a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-CustomNoUpgrade.crd.yaml +++ b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-CustomNoUpgrade.crd.yaml @@ -6013,9 +6013,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- 
@@ -6150,9 +6151,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-Default.crd.yaml b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-Default.crd.yaml index 3dbb3485271..ac2928451c8 100644 --- a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-Default.crd.yaml +++ b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-Default.crd.yaml @@ -5663,9 +5663,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- 
@@ -5800,9 +5801,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-TechPreviewNoUpgrade.crd.yaml b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-TechPreviewNoUpgrade.crd.yaml index 8b61ee5d386..a2f47dbfdca 100644 --- a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-TechPreviewNoUpgrade.crd.yaml +++ b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-TechPreviewNoUpgrade.crd.yaml @@ -5884,9 +5884,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- 
@@ -6021,9 +6022,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/azure.go b/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/azure.go index 309b58e5a4e..76c9a3efbab 100644 --- a/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/azure.go +++ b/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/azure.go 
@@ -362,7 +362,7 @@ type AzureNodePoolOSDisk struct {
 // +kubebuilder:validation:XValidation:rule="has(self.private) == has(oldSelf.private)",message="private cannot be added or removed after cluster creation"
 // +kubebuilder:validation:XValidation:rule="!has(oldSelf.topology) || has(self.topology)",message="topology cannot be removed once set"
 // +kubebuilder:validation:XValidation:rule="!has(self.topology) || !has(oldSelf.topology) || (self.topology == 'Public') == (oldSelf.topology == 'Public')",message="transitions between Public and non-Public topology are not supported"
-// +kubebuilder:validation:XValidation:rule="!has(self.topology) || ((self.topology == 'Private' || self.topology == 'PublicAndPrivate') ? has(self.private) : !has(self.private))",message="private is required when topology is Private or PublicAndPrivate, and forbidden otherwise"
+// +kubebuilder:validation:XValidation:rule="has(self.topology) && (self.topology == 'Private' || self.topology == 'PublicAndPrivate') ? has(self.private) : !has(self.private)",message="private is required when topology is Private or PublicAndPrivate, and forbidden otherwise"
 // +kubebuilder:validation:XValidation:rule="!has(self.private) || self.private.type != 'PrivateLink' || self.azureAuthenticationConfig.azureAuthenticationConfigType != 'WorkloadIdentities' || has(self.azureAuthenticationConfig.workloadIdentities.controlPlaneOperator)",message="workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication"
 type AzurePlatformSpec struct {
 // cloud is the cloud environment identifier, valid values could be found here: https://github.com/Azure/go-autorest/blob/4c0e21ca2bbb3251fe7853e6f9df6397f53dd419/autorest/azure/environments.go#L33
@@ -668,7 +668,7 @@ const (
 // mechanism. Currently only PrivateLink is supported; additional mechanisms (e.g., Swift) may
 // be added in the future.
 //
-// +kubebuilder:validation:XValidation:rule="self.type != 'PrivateLink' ? !has(self.privateLink) : true",message="privateLink is forbidden when type is not PrivateLink"
+// +kubebuilder:validation:XValidation:rule="self.type == 'PrivateLink' ? has(self.privateLink) : !has(self.privateLink)",message="privateLink is required when type is PrivateLink, and forbidden otherwise"
 // +union
 type AzurePrivateSpec struct {
 // type specifies the private connectivity mechanism used for the hosted cluster's API server.